Oracle Issues Urgent Security Update for Critical RCE Flaw in Identity Manager and Web Services Manager
Cybersecurity News, archived Mar 21, 2026
Oracle has issued an out-of-band Security Alert addressing a critical remote code execution (RCE) vulnerability, CVE-2026-21992, affecting two widely deployed Fusion Middleware components, Oracle Identity Manager and Oracle Web Services Manager.
The vulnerability carries a CVSS 3.1 base score of 9.8, placing it among the most severe classifications in Oracle’s risk framework.
CVE-2026-21992 is an unauthenticated, remotely exploitable flaw that requires no user interaction or special privileges to exploit. The attack vector is network-based with low complexity, meaning a threat actor only needs HTTP access to an exposed endpoint to potentially trigger remote code execution.
The Confidentiality, Integrity, and Availability impact categories are all rated High, indicating that a successful exploit could grant an attacker full control over the affected system.
In Oracle Identity Manager, the vulnerability resides in the REST Web Services component, while in Oracle Web Services Manager, the flaw exists within the Web Services Security module.
Oracle notes that Web Services Manager is typically installed alongside Oracle Fusion Middleware Infrastructure, expanding the potential attack surface across enterprise deployments.
Affected Versions
The vulnerability impacts the following product versions:
Product | Affected Versions
Oracle Identity Manager | 12.2.1.4.0, 14.1.2.1.0
Oracle Web Services Manager | 12.2.1.4.0, 14.1.2.1.0
Both affected versions fall under the Fusion Middleware patch track, with patch documentation available via Oracle’s Security Alert advisory page and My Oracle Support (Document ID KB878741).
A CVSS score of 9.8 with no authentication requirement makes this vulnerability particularly dangerous for organizations with internet-facing Oracle Fusion Middleware deployments.
Oracle Identity Manager is a widely used identity governance platform, and Oracle Web Services Manager handles security policy enforcement for web services; both are critical infrastructure components in large enterprise and government environments. Exploitation of either could result in full system compromise, credential theft, or lateral movement across connected systems.
Oracle strongly urges all customers to apply the available patches immediately. The alert, initially released on March 19, 2026, received an updated revision on March 20, 2026, with an additional note from Oracle.
Organizations running unsupported versions of the affected products are advised to upgrade to a supported release, as patches are only provided for versions under Premier Support or Extended Support phases per Oracle’s Lifetime Support Policy.
Security teams should prioritize patching any externally accessible instances and review HTTP/HTTPS exposure of REST Web Services and Web Services Security endpoints until remediation is complete. Customers can reference the full risk matrix and verbose CVE details on Oracle’s official Security Alerts portal.